578.4 Flashcards
What is human-operated ransomware?
Human-operated ransomware (HOR) is a class of ransomware attack in which the adversary penetrates the network by hand and tailors the operation to the victim, rather than relying on automated, opportunistic spread.
Threat Intelligence Platforms (TIPs)
MISP, Threat_Note, CRITs, ThreatConnect, ThreatQuotient, Anomali, EclecticIQ
What does MISP stand for?
Malware Information Sharing Platform.
Focus on IOCs and automation. Supports multiple data formats for import and export. Open source, with optional paid professional support.
MISP is widely used in Europe because a number of CERTs are actively involved in it.
Best practices for storing threat intel information
- Make a common format
- Make the method scalable
- Make the method secure
- Make the method shareable
Logical fallacies
Logical fallacies are flaws in reasoning; they appear often in cyber threat intelligence assessments. Two common examples:
- Anecdotal fallacy
- Appeal to probability
They occur when an argument does not logically follow from its premises.
Fallacies: Anecdotal Fallacy
Personal experience is given more weight than compelling evidence.
“I worked an incident like this before and it was China, so your analysis that it’s not must be wrong”.
Fallacies: Appeal to Probability
Making a determination based on what is most likely in general, rather than on the evidence of the case at hand.
“Russia is hacking everything these days, so the intrusion is likely Russia based”.
Common CTI informal fallacies
- Appeal to the stone
- Argument from Silence
- Argument from repetition
Others:
- Burden of Proof
- Middle Ground
Fallacies: Appeal to the stone
Identifying a claim as absurd without any proof to dismiss it.
“That’s absurd to think that the US would compromise an allied government. Let’s move on.”
Fallacies: Argument from Silence
Accepting a conclusion because there is no evidence against it.
“I have proof it wasn’t the UK and no proof it wasn’t Germany. So, I assess it was Germany.”
Fallacies: Argument from Repetition
Arguing so much that eventually people accept the conclusion to end it.
“We’ve been here for five hours; fine, Iran did the attack.”
Fallacies: Burden of Proof
Requiring someone to disprove a claim instead of requiring the person making the claim to prove it.
Fallacies: Middle Ground
Treating a compromise between two positions as the accepted truth.
Bias - Cognitive Biases
Cognitive biases are systematic constraints on how we as analysts think; they push us toward incorrect decisions and assessments. They let analysts build their own version of reality, in which inaccurate judgments and illogical interpretations take hold.
Bias - Mirror Image
A common bias that forms when you analyze a situation, person, or entity through your own context, background, and experiences instead of theirs.
Bias - Anchoring / Focusing
Overvaluing one piece of information. Leaves an analyst unable to seek new information or to weigh competing information.
Bias - Confirmation bias
Selectively supporting one hypothesis: refuting evidence is rejected, supporting data is given greater weight and contradicting data less.
Bias - Congruence Bias
- A form of confirmation bias
- Relevant to the analysis of competing hypotheses
- Failure to consider alternative hypotheses
- The risk is greatest when the favoured hypothesis fits the evidence well
Bias - Hindsight Bias
“I knew it all along.” An unlikely outcome is seen, after the fact, as obvious. Results in victim blaming.
Bias - Illusory Correlation
Observing a correlation where none exists. Common when an unusual or extreme experience is projected onto all future experiences. Stereotypes are the most common type of illusory correlation.
Seven steps of analysis of competing hypotheses
- Hypothesis
- Evidence
- Diagnostics
- Refinement
- Prioritization
- Sensitivity
- Conclusion and Evaluation
AoCH - 1: Enumerate Hypotheses
- Account for all evidence
- Include others
- Do not consider feasibility
- Include unproven hypotheses
- Exclude disproven hypotheses
AoCH - 2: Support the Hypotheses
- Seek additional evidence
- Include as evidence: deductions / assumptions
- Discuss missing evidence
AoCH - 3: Diagnostics
Comparison of the hypotheses in a matrix of hypotheses against evidence. Analysis proceeds horizontally across the hypotheses, one piece of evidence at a time.
AoCH - 4: Refine the Matrix
- Remove nondiagnostic evidence
- Add overlooked evidence now applicable
- Include formulation of new hypotheses
- Document evidence excluded
AoCH - 5: Prioritize the Hypotheses
The hypotheses in the matrix are evaluated vertically, considering each hypothesis for its relative likelihood based on the evidence presented.
AoCH - 6: Determine Evidentiary Dependence
- How many pieces of evidence are critical?
- What is confidence in this evidence?
- Is the evidence ephemeral?
AoCH - 7: Report Conclusions
Final report.
- Hypotheses considered
- Key evidence
- Proper estimative language
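The four matrix steps above (diagnostics, refinement, prioritization, evidentiary dependence) as working code. This is an added example, not course material: the hypotheses, evidence, ratings and the confidence scale are constructed for illustration, and the scoring follows Heuer's convention of ranking hypotheses by the fewest inconsistencies rather than the most confirmations.

```python
"""Analysis of Competing Hypotheses over a constructed attribution matrix.

Covers steps 3 to 6 of the seven-step process: diagnostics (horizontal pass
per piece of evidence), refinement (drop nondiagnostic evidence and record
what was dropped), prioritisation (vertical pass per hypothesis, ranked by
fewest inconsistencies as in Heuer's ACH) and evidentiary dependence (which
single piece of evidence, if it were wrong or lost, would change the leading
hypothesis).
"""

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# Constructed example: three hypotheses for who ran an intrusion and five
# pieces of evidence, each rated by the analyst against every hypothesis.
# Groups, evidence and ratings are illustrative, not from a real case.
HYPOTHESES = {"H1": "Group A", "H2": "Group B", "H3": "Financially motivated actor"}

EVIDENCE = {
    "E1": "tooling overlaps Group A's known loader",
    "E2": "operator hours fit a UTC+3 working day",
    "E3": "victim is a telecom both groups are known to target",
    "E4": "no ransom note or extortion demand observed",
    "E5": "C2 domains registered through a registrar Group B favours",
}

MATRIX = {
    "E1": {"H1": "C", "H2": "I", "H3": "I"},
    "E2": {"H1": "C", "H2": "C", "H3": "N"},
    "E3": {"H1": "C", "H2": "C", "H3": "C"},   # consistent with everything
    "E4": {"H1": "N", "H2": "N", "H3": "I"},
    "E5": {"H1": "N", "H2": "C", "H3": "N"},
}

# Analyst confidence in each piece of evidence; the scale is an assumption.
CONFIDENCE = {"E1": "moderate", "E2": "high", "E3": "high", "E4": "high", "E5": "low"}


def is_diagnostic(ratings):
    """Step 3, horizontal pass: a row helps only if it rates the hypotheses differently."""
    return len(set(ratings.values())) > 1


def refine(matrix):
    """Step 4: keep diagnostic rows; return the dropped IDs so the exclusion is documented."""
    kept = {e: r for e, r in matrix.items() if is_diagnostic(r)}
    dropped = [e for e in matrix if e not in kept]
    return kept, dropped


def inconsistency_scores(matrix):
    """Step 5, vertical pass: count 'I' cells per hypothesis. Fewer is more likely;
    consistent cells are not summed, since many weak confirmations do not
    outweigh one solid contradiction."""
    scores = {}
    for ratings in matrix.values():
        for h, r in ratings.items():
            scores[h] = scores.get(h, 0) + (1 if r == INCONSISTENT else 0)
    return scores


def leaders(matrix):
    """Hypotheses tied for the fewest inconsistencies (a tie is reported, not broken)."""
    scores = inconsistency_scores(matrix)
    if not scores:
        return []
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def critical_evidence(matrix):
    """Step 6: rows whose removal changes the set of leading hypotheses."""
    baseline = leaders(matrix)
    return [e for e in matrix
            if leaders({k: v for k, v in matrix.items() if k != e}) != baseline]


def run_ach(matrix, confidence):
    """Run steps 3 to 6 and return what a step-7 report needs."""
    kept, dropped = refine(matrix)
    return {
        "dropped_nondiagnostic": dropped,
        "inconsistencies": inconsistency_scores(kept),
        "leading": leaders(kept),
        "critical_evidence": {e: confidence.get(e, "unknown") for e in critical_evidence(kept)},
    }


if __name__ == "__main__":
    for key, value in run_ach(MATRIX, CONFIDENCE).items():
        print(f"{key}: {value}")
```

On this constructed matrix H1 leads with zero inconsistencies, but the result rests on a single moderate-confidence row (E1): drop it and H1 and H2 tie. That is exactly the evidentiary-dependence question of step 6, and it is what the estimative language in the step-7 report should reflect.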
Three different types of analysis
- Link analysis
- Data analysis
- Trend analysis
Common link analysis tools
- Maltego
- IBM Analyst’s Notebook
- Palantir Gotham / Metropolis
- Centrifuge
- Gephi / Graphviz
- Neo4J
- Titan
- Linkurious
- Cambridge Intelligence
Data analysis
Cleaning, transforming, and modeling of data. Insights revealed through new techniques, models, and correlations between datasets.
Temporal Data Analysis
Analysis of data over time. Reveals patterns of activity that recur. Useful for trending adversary activity.
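A worked instance of temporal analysis, added here as an example and not part of the original course page: hour-of-day and day-of-week histograms over event timestamps, plus a search for the whole-hour UTC offset under which the activity best fits a normal working day. The timestamps are constructed, and the working-day window (09:00 to 17:00) is an assumption. The inferred offset is an estimate of where the operator keeps office hours, not proof of location; timestamps can be forged and scheduled tasks do not keep office hours, so treat it as one piece of evidence for an ACH matrix rather than a conclusion (the appeal-to-probability fallacy above is the trap here).

```python
"""Temporal analysis of adversary activity: hour-of-day and day-of-week
histograms, and the UTC offset under which the activity best fits a normal
working day. Constructed sample timestamps, not real telemetry."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_events():
    """Constructed sample: two weeks of interactive C2 activity at 06, 08, 10, 12
    and 13 UTC on weekdays (a 09:00-17:00 day at UTC+3), plus three off-hours
    events standing in for automated beacons or a different operator."""
    monday = datetime(2024, 3, 4, tzinfo=timezone.utc)
    events = []
    for day in range(14):
        d = monday + timedelta(days=day)
        if d.weekday() < 5:
            events += [d.replace(hour=h, minute=15) for h in (6, 8, 10, 12, 13)]
    events += [
        datetime(2024, 3, 9, 22, 0, tzinfo=timezone.utc),   # Saturday, late evening UTC
        datetime(2024, 3, 10, 3, 30, tzinfo=timezone.utc),  # Sunday, early morning UTC
        datetime(2024, 3, 13, 1, 0, tzinfo=timezone.utc),   # Wednesday, 01:00 UTC
    ]
    return events


def hour_histogram(events):
    """Events per UTC hour of day (0-23)."""
    return Counter(e.astimezone(timezone.utc).hour for e in events)


def weekday_fraction(events):
    """Share of events falling Monday to Friday in UTC."""
    weekday = sum(1 for e in events if e.astimezone(timezone.utc).weekday() < 5)
    return weekday / len(events)


def infer_utc_offset(events, workday=(9, 17)):
    """Return (offset_hours, in_window, total): the whole-hour UTC offset under
    which the most events fall inside the local working-day window [start, end).
    Ties go to the offset closest to UTC. An estimate of the operator's office
    hours, not proof of location."""
    start, end = workday
    utc_hours = [e.astimezone(timezone.utc).hour for e in events]
    best = None
    for offset in range(-12, 15):
        inside = sum(1 for h in utc_hours if start <= (h + offset) % 24 < end)
        key = (inside, -abs(offset))
        if best is None or key > best[0]:
            best = (key, offset, inside)
    return best[1], best[2], len(utc_hours)


if __name__ == "__main__":
    ev = constructed_events()
    print("events per UTC hour:", sorted(hour_histogram(ev).items()))
    print(f"weekday share: {weekday_fraction(ev):.0%}")
    offset, inside, total = infer_utc_offset(ev)
    print(f"best fit: UTC{offset:+d}, {inside}/{total} events inside a 09-17 local day")
```

The three outliers are deliberately left in: they never fit any offset, which keeps the maximum unambiguous, and in real data such residue is often the more interesting finding (a scheduled task, a second operator, or a tool whose timestamps are not what they seem).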
Trend analysis
Completing the Kill Chain or Diamond Model for each intrusion yields intelligence. As you detect and respond to intrusions over time, you will begin to notice trends across them.
Style Guide
A style guide can contain anything that is useful to you and of mid- to long-term value to your team, but at a minimum it must include:
- Team structure
- Accepted lexicon
- Words, phrases, and actions to avoid
- Sample structured analytic techniques
- Sample intelligence requirements with example outputs
- Guidance to analysts on how to create clusters and finalize intelligence products
- Key processes to follow
Names / Identifiers
Name your own campaigns; borrow names where it makes sense. Using your own names:
- Frees analysts from reliance on others and makes it clear when your evidence defines a campaign slightly differently from someone else's.
Rosetta Stone
Maps known attribution, campaign names, and malware used
One-to-One Mapping
Do not assume a one-to-one relationship between clusters (for example, between your cluster and a vendor's named group). Clusters can have links to other clusters, and a link can be on one or more of the Diamond Model vertices.
Confidently Correlating Clusters
Visual and link analysis quickly identify patterns that help identify campaigns.
Quick pattern matching will incorrectly correlate some intrusions, and some of those may later turn out to be key.
To correlate clusters confidently, use ACH together with the Kill Chain and the Diamond Model, as well as the Rule of 2.
When to use AoCH for intrusion-cluster correlation?
- Lack of evidence makes correlation ambiguous
- Intrusion maps to multiple similarly defined clusters
- Disagreement between analysts exists.
How to use AoCH for intrusion-cluster correlation?
- Follow AoCH steps
- Classify evidence based on intrusion definition: Kill Chain or Diamond
- Confidence in the assessment is informed by how well each candidate cluster is supported by the evidence.
External Intrusion Reports
- Complement knowledge gaps
- Do not merge with your own data
Using the vendor's information or name as your campaign name means you lose control of the narrative.
Diamond Model Meta-Features
Timestamp (start and end), Phase, Result, Direction, Methodology, Resources
Each core feature and its meta-features should have a confidence value.
Six distinct steps for creating an activity group
- Analytical Problem
- Feature Selection
- Creation
- Growth
- Analysis
- Redefinition
Rule of 2
The Rule of 2 is simply looking for consistency across intrusions in some key way in order to create an activity group. If the victims are also the same or similar, you may have identified a specific campaign.
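The Rule of 2 and the cluster-correlation cards above, worked as code. This is an added example, not course material or any tool's implementation. It assumes the common reading of the Rule of 2 as "link two intrusions when they overlap on at least two Diamond Model core features", attaches a confidence value to every feature observation (as the Diamond Model meta-features card asks for) so that weak overlaps can be excluded from linking, and merges linked intrusions transitively into activity groups. The intrusion data is constructed: documentation IP ranges, made-up tool and persona names, victim sectors standing in for the victim vertex.

```python
"""Activity-group creation with the Rule of 2 over Diamond Model core features.

Two intrusions are linked when they share at least two of the four core
features (adversary, infrastructure, capability, victim); linked intrusions are
merged transitively into activity groups. Every feature value carries the
analyst's confidence, so low-confidence overlaps can be excluded from linking.
Threshold and confidence handling are this example's assumptions; the
intrusion data is constructed."""
from itertools import combinations

CORE_FEATURES = ("adversary", "infrastructure", "capability", "victim")

# Constructed intrusions: feature -> {observed value: analyst confidence 0..1}
INTRUSIONS = {
    "INT-1": {"infrastructure": {"203.0.113.5": 0.9},
              "capability": {"LoaderX": 0.9}, "victim": {"telecom": 1.0}},
    "INT-2": {"infrastructure": {"203.0.113.5": 0.9, "198.51.100.7": 0.8},
              "capability": {"LoaderX": 0.9}, "victim": {"telecom": 1.0}},
    "INT-3": {"infrastructure": {"198.51.100.7": 0.3},   # IP seen once: weak tie
              "capability": {"RAT-Y": 0.8}, "victim": {"telecom": 1.0}},
    "INT-4": {"infrastructure": {"192.0.2.44": 0.9},
              "capability": {"LoaderX": 0.7}, "victim": {"energy": 1.0}},
    "INT-5": {"adversary": {"persona-7": 0.6}, "infrastructure": {"192.0.2.44": 0.9},
              "capability": {"RAT-Y": 0.8}, "victim": {"energy": 1.0}},
}


def shared_features(a, b, min_confidence=0.0):
    """Core features on which intrusions a and b overlap, counting an overlap only
    if both sides hold the value with at least min_confidence."""
    shared = []
    for feature in CORE_FEATURES:
        va, vb = a.get(feature, {}), b.get(feature, {})
        if any(min(va[v], vb[v]) >= min_confidence for v in va.keys() & vb.keys()):
            shared.append(feature)
    return shared


def link_evidence(intrusions, threshold=2, min_confidence=0.0):
    """Rule of 2: pairs sharing at least `threshold` features, with the features that
    justify each link, so every link in a cluster is documented."""
    links = {}
    for x, y in combinations(sorted(intrusions), 2):
        shared = shared_features(intrusions[x], intrusions[y], min_confidence)
        if len(shared) >= threshold:
            links[(x, y)] = shared
    return links


def activity_groups(intrusions, threshold=2, min_confidence=0.0):
    """Merge linked intrusions transitively (union-find) into activity groups."""
    parent = {name: name for name in intrusions}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    for x, y in link_evidence(intrusions, threshold, min_confidence):
        parent[find(x)] = find(y)
    groups = {}
    for name in intrusions:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def is_campaign_candidate(intrusions, group):
    """Same victims across the whole group suggest a specific campaign."""
    victims = {v for name in group for v in intrusions[name].get("victim", {})}
    return len(victims) == 1


if __name__ == "__main__":
    for min_conf in (0.0, 0.5):
        print(f"min confidence {min_conf}: {activity_groups(INTRUSIONS, min_confidence=min_conf)}")
    for pair, why in link_evidence(INTRUSIONS).items():
        print(pair, "linked on", why)
```

Two things to notice on this data. First, INT-1 and INT-3 end up in the same group although they share only a victim sector; the link runs through INT-2, which is the "quick pattern matching will incorrectly correlate some intrusions" risk made concrete, and why each link should be documented. Second, raising the minimum confidence to 0.5 drops the single low-confidence infrastructure overlap and INT-3 falls out of the group, so the confidence attached to each feature changes the clustering, not just the write-up.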
Retire Clusters
- Campaign states: Active, Inactive, Dormant
- Keep all information pertaining to clusters indefinitely
- Future intrusions can illuminate past
- Future clusters may correlate to past clusters
What does ACH stand for?
Analysis of Competing Hypotheses